Received "Could not find custom hooks file at /zap/wrk/my-hooks.py" when running zap-baseline.py or zap-full-scan.py from docker container


Ivan Djorgon

Jan 21, 2022, 3:13:43 PM
to OWASP ZAP User Group
Docker image version used: owasp/zap2docker-stable.
Hello there! I believe this has been brought up before but I received "Could not find custom hooks file at /zap/wrk/my-hooks.py" when running zap-baseline.py or zap-full-scan.py from within docker container. The message of interest is:

2022-01-20 20:13:21,378 Could not find custom hooks file at /zap/wrk/my-hooks.py
2022-01-20 20:13:21,378 A file based option has been specified but the directory '/zap/wrk' is not mounted

In another thread, it was said that this is an Info Message and not an Error / Warning.

I will try to explain my scenario and provide details/steps as best as I can, considering I can't share any of the Project information. I tried to follow the best practices, such as ensuring to test locally with desktop client first and then to move on to testing locally via automation.

Let me just say that the app is behind basic auth, and scanning it using desktop client works perfectly fine (both spider and active scan). I was able to set up and configure authentication correctly, and I've been running the scans periodically against a couple of different test environments and I get consistent results every time.

Once I made sure that is stable I proceeded to explore zap automation. I pulled latest stable docker image, and ensured I did all of the prep work from configuring the docker container as well as the context preparation (exporting/saving the context file), and exporting/saving the selected URLs. [I have moved the required context file and others to the docker container; also have a simple bash script that opens/reads the 'selected URLs', which is run before the baseline script.]

As a result, when I attempt to trigger either zap-baseline.py or zap-full-scan.py from within docker container nothing happens and the "Could not find custom hooks file..." message is thrown immediately. Tests were triggered as follows:

zap-baseline.py -t https://......com -n my.context -U loginuser -I

As a comparison, I was able to set up, configure and trigger successful scans using ZAP CLI for both spider baseline and active-scan options. I've gotten solid results which are the same as the "manual desktop app" results. I'm not sure why I would need to mount/specify custom hooks file(s), as the "same" approach works for ZAP CLI.

I've tried running ZAP CLI from within docker, and the active-scan errors out due to unrelated errors (I get kicked out of the docker container before scan completion - don't think it's related to ZAP, i.e. JavaScript error: resource://pdf.js/PdfStreamConverter.jsm, line 1115: NS_ERROR_FAILURE: Ignore PDF.js for this download.). But, I might have to write another email for that.

Any insight or suggestions would be much appreciated!

Thank you,
Ivan


Ivan Djorgon

Jan 21, 2022, 5:06:29 PM
to OWASP ZAP User Group
One more thing: I did a curl command (from the docker container), and I was able to hit the corresponding URL.

Simon Bennetts

Jan 22, 2022, 6:19:23 AM
to OWASP ZAP User Group
The important line is: "A file based option has been specified but the directory '/zap/wrk' is not mounted"
  • If you use ‘file’ params then you need to mount the directory those files are in or will be generated in, e.g.
      docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py \
          -t https://www.example.com -g gen.conf -r testreport.html
You are specifying a context file - that is on your local drive.
You are running docker without mounting the drive so ZAP cannot access the context file - this is a docker restriction.
You'll have to mount the drive before this can work.

Cheers,

Simon
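
Added example, not part of the original thread or of the ZAP project: a pre-flight check that catches the "directory '/zap/wrk' is not mounted" situation before the container starts, by confirming that every file option refers to the directory about to be mounted. The function names `zap_preflight` and `zap_run` are hypothetical, and it assumes file names are given relative to the mounted directory, as in the commands above.

```shell
#!/bin/sh
# Added example, not part of the ZAP project. zap_preflight and zap_run are
# hypothetical helper names. File options are taken from the packaged scan
# scripts' usage text: -n/-c/-p are read from /zap/wrk, -g/-r/-w/-x/-J are
# written there.

# zap_preflight DIR ARGS...
# Prints one line per problem; returns 0 only if every file option can work
# once DIR is mounted at /zap/wrk.
zap_preflight() {
    dir=$1; shift
    problems=0
    [ -d "$dir" ] || { echo "mount source '$dir' is not a directory"; return 1; }
    while [ $# -gt 0 ]; do
        case $1 in
            -n|-c|-p|-g|-r|-w|-x|-J)
                [ $# -ge 2 ] || { echo "$1: missing file name"; return 1; }
                case $1 in
                    -g|-r|-w|-x|-J)   # output: the mount must be writable
                        [ -w "$dir" ] || {
                            echo "$1 $2: '$dir' is not writable"
                            problems=$((problems + 1))
                        } ;;
                    *)                # input: the file must already exist
                        [ -f "$dir/$2" ] || {
                            echo "$1 $2: not found in '$dir'"
                            problems=$((problems + 1))
                        } ;;
                esac
                shift ;;
        esac
        shift
    done
    [ "$problems" -eq 0 ]
}

# zap_run SCRIPT ARGS...
# Mounts the current directory as in the reply above, after the check passes.
zap_run() {
    script=$1; shift
    zap_preflight "$(pwd)" "$@" || return 1
    docker run -v "$(pwd)":/zap/wrk/:rw -t owasp/zap2docker-stable \
        "$script" "$@"
}
```

Run it from the directory that holds the context file, for example `zap_run zap-baseline.py -t https://www.example.com -n my.context -r testreport.html`.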

Ivan Djorgon

Feb 3, 2022, 3:56:41 PM
to OWASP ZAP User Group
Thanks Simon.

I am just getting back to this as I didn't have a chance to work on it during the previous sprint.

Couple of follow up questions/points:

- I mounted the drive as specified above and the full scan works. However, the first line of output is still: 20:34:17,680 Could not find custom hooks file at /home/zap/.zap_hooks.py. Should I ignore it? Does it impact the scan and subsequent results?
- As mentioned, the scan works (I think). I get output during the scan with the html report being saved. There are several alerts/vulnerabilities listed in the html report... My 'full command' is as follows:

docker run -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-full-scan.py -t https://.........com -I -j -m 10 -T 60 -n some.context -U test-user -g gen.conf -r 20220203-zap-full-scan.html

This scan takes roughly two minutes to execute and complete. Is this expected? (I was expecting to run for longer.)

Thank you,
Ivan

Ivan Djorgon

Feb 4, 2022, 8:55:39 AM
to OWASP ZAP User Group
Just to add that I also ran the zap-baseline.py scan and I see "Could not find custom hooks file" message as well. It doesn't seem to impact the running of the scan. The scan takes a minute or two, and outputs a report.

Simon Bennetts

Feb 7, 2022, 5:03:17 AM
to OWASP ZAP User Group
The message: "Could not find custom hooks file at /home/zap/.zap_hooks.py" is an informational one - it's only a problem if you _did_ supply a hooks file. If you did not then you can safely ignore it.
I would expect a full scan of a non-trivial web app to take a significant amount of time, potentially many hours.
My first guess is that the authentication is failing somehow.

Have you tested the context and authentication using the ZAP desktop?

Cheers,

Simon

Ivan Djorgon

Feb 7, 2022, 9:23:20 AM
to OWASP ZAP User Group
Thanks Simon.

Hmm, I will have to dig in but authentication is working with both the zap desktop and zap-cli. For both cases, my full scan takes roughly 30-40 minutes (whether it's triggered from the desktop client or via command using zap-cli).

One thing to add. I manually explored the website and exported the URLs file to my directory. I then run this script (before running the full scan), and open each URL which is present in the file with the zap-cli open url command (this takes approx./at least 5 minutes if not longer). I subsequently run the full scan with zap-cli. I assume I'd have to do the same with zap docker? I believe in this case it should take the appropriate amount of time.

This small bash script is in my directory. How would you recommend mounting it/running it on zap docker?

Thank you,
Ivan